Samsung mobile launches bug bounty program

Crack a Galaxy or bash Bixby and score US$20K to $200K

Samsung's mobile limb has become the latest major vendor to launch a bug bounty program, and within its tight rules, it offers a tasty maximum prize of US$200,000.

The bounty is for newer devices only – 38 mobile devices launched since 2016, including Galaxies S, Note, A, J, and Tab, and the top-of-the-line S8, S8+, and Note 8.

Sammy also wants researchers to look over its branded services (like Bixby and Pay) and applications signed by Samsung Mobile or approved third-party packages.

Only currently-active services and fully-updated applications are eligible, and third-party app vulnerabilities have to be Samsung-specific.

Debugger-level attacks (which demand physical access and/or jailbroken devices) are excluded, as are low-probability attacks, phishing or clickjacking. An attacker also has to submit their exploit along with the bug report (the full conditions are here).

The full range of possible rewards runs from US$20,000 to $200,000.

As the company's reporting page notes, bugs submitted for the bounty will be subject to a responsible disclosure policy. This includes a promised 48-hour response time by Samsung to the reporter, and a commitment to apply the company's best efforts to ship patches within 90 days. ®